Posted by ScuttleMonkey on Monday March 09, 2009 @06:22PM from the more-data-about-a-problem-is-rarely-bad dept.

California State Senator Joe Simitian has introduced new legislation designed to tighten data breach notification requirements, forcing businesses to provide more information about any data that has been leaked in addition to notifying state authorities. Not included in the legislation are mandatory compensation requirements for data breach victims, which according to Simitian are not likely to be added for quite some time. "Instead, the next focus of legislation, he said, would likely be on who should bear the cost of sending out notifications to consumers. For example, should a credit card processing company that experiences a breach be responsible for the cost of notifying bank customers? When retailer TJX discovered in 2006 that hackers had accessed credit and debit card numbers passing through its network, banks were left notifying the customers, then had to sue TJX to get compensation for those costs. Heartland Payment Systems, which experienced a breach of credit and debit card numbers in January, has recently been sued by banks to recover their breach notification costs."

What's the point of notifying the public that their data has been lost, when they can't do anything about it? At the very least, they should be able to sue in a class action. Ideally, there should be some government organisation that tracks down the identity/resource thieves, figures out what damage was done without the owner's knowledge, returns things to rights, then bills the company that leaked it for all the trouble caused. If the upshot is that people just get a letter saying they're screwed, then

It's highly embarrassing and can have real business implications, that's why. Imagine you're the CEO of a million dollar company whose sole business is data warehousing and you have to admit millions of records have been stolen, publicly as well as reporting it to a government department.

Having received one such notification, it prompted me to keep a closer eye on my credit report and weigh the option of freezing my credit report [consumerist.com], thus making it harder for anyone to use my personally identifying info to borrow money under my name.

In my case, a previous employer who was breached explained the circumstances (something they never would have done without the law), and offered to pay for credit monitoring (not required AFAIK). A very responsible approach to their mistake.

A friend who was hit by the Univ. of CA breach was notified because of the law, but not offered monitoring.

These notifications were useful to the affected individuals, even if their expense alone may not in itself have been enough to motivate better security procedures at the breached organizations.

And obviously, if it happens again soon at either organization, people will raise hell.

I think it's fair to say that Level 1 merchants are taking PCI compliance pretty seriously, but I'm also sure many are making the trade-off against the potential for legal exposure. After their breach, TJX took a nice hit to their stock price (off about 15%), but as it became clear that there was little to no customer flight, it recovered well.
It makes good sense that the bill for notification costs should be served to the responsible party.

It's fairly obvious that the cost of informing customers - and other related costs - should be borne by the organisation that failed in its duty to ensure the integrity and confidentiality of the data. After all, until we are at a point where it is cheaper to take the measures to keep the data safe than to be delinquent, companies are incentivised to be delinquent.

I'm going to try to avoid the "Microsoft Blame Game" as frankly that gets us nowhere. But I will say that there are some older technologies that work better for transaction processing and storage than some newer, more contemporary systems.

And frankly, even though some processing and transaction systems are very convenient for both processors and consumers, I think it just might be time to rein in many of these conveniences as implementation of any sort is simply too risky.

All these reporting requirements are intended to add pressure to companies to take their systems security more seriously, but frankly, they will never listen until you tell them EXACTLY what is expected of them. Businesses are in the habit of managing risk that they feel is acceptable, but the problem is, they don't mind risking other people's data or their lives or anything else if it's not theirs directly.

When people handle food, the government steps in with inspectors and laws and all sorts of things to help better ensure that your burger will not kill you. This has proven to work pretty well even though it has not stopped violators entirely. The same should be required of people handling sensitive financial and other personal information.

Notification of a "breach" is all well and good, but in many cases there shouldn't be as much data to breach in the first place.

A recent personal example makes my point: I am a bit disturbed that both the University I graduated from decades ago, and the guy I bought a car from 3 years ago, send me birthday cards... I don't find it a nice gesture, I find it just wrong that they have retained my personal ID info for their marketing purposes. Therefore I will stop donating to the university and I will not buy a car from that dealership again. (It's not like I signed up for the "birthday club" or anything. Obviously they have "mined" my data collected for other purposes.)

Seems like a better law would be that personal information be purged from the records of any place that has no legitimate reason to retain them.

The lawyers will have a field day with the definition of "legitimate reason." The law needs to be more specific, something like if I tell you to drop my data you do it. I know it takes some customer action, but it's a hell of a lot better than we have now.

As a programmer, I should know that. If there is anything more pedantic than a stupid compiler, it's a fuckin lawyer. Those guys must be idiots or assholes (Note the ambiguity of "fuckin" versus "stupid". It all depends on whether you've hired one to attack you or defend you - "fuckin" can be a good thing or bad.)

Currently, whoever collects data about you owns that data. We have no real rights about how that information is used, which is why most of it is sold for marketing purposes. There are some rules, like companies aren't supposed to store your credit card details without your permission, but many of them do because it's cheap to store and the information may be useful in the future.

The difficulty comes in defining what information is legitimate and why. For example, if I place an order online, they need my

You hit the nail. The personal data should be collected only when required to process any contract/transaction (only to the necessary extent) and deleted afterwards.

I also find it disturbing that anytime I express my willingness to buy something more expensive, there is no way to move forward without providing my address, and a telephone number.
The sellers do not even want to talk without this information. Later I get a few "happy" calls per day with offers of some kind. It is pretty annoying, and tak

If you value your privacy, you have to take measures to protect it. You can get a private mailbox for everything that wants an address and a phone that you give out freely, but don't bother answering unless you are expecting something.

Basically, you draw a clear distinction between your real life and your consumer persona. So you end up with a mailbox full of crap? If you know what you're looking for, you just throw away the rest. Same goes with answering machines on your line you give out to everyone -

I think that instead of all of these point solution laws that we keep passing aimed at specific facets of the consumer data protection process, we should put together a working group to pass a comprehensive law that addresses the real root problems.
Such a comprehensive approach could address items such as time to live, how data may be used/mined/obtained, information protection requirements, privacy and notification mechanisms and responsibilities for all parties concerned. Maybe if we take a wider, deepe

Why isn't there legislation in place to hold the companies accountable for your data loss if they were not taking appropriate precautions against data loss or breach? As someone who has had data compromised twice in the last year (once through my mortgage company and once through my employer) I feel that being notified promptly is a good first step but making companies accountable for their inaction would be more apt to prevent these events in the first place.